UF Health Sued for HIPAA Violations After “Cybersecurity Event”

On Thursday, a case was removed from the Circuit Court for Fifth Judicial Circuit for Lake County to the Middle District of Florida. The case was originally filed by a patient against UF Health Central Florida and its affiliates and concerns the theft of personally identifiable records in violation of HIPAA due to an electronic infiltration of the UF Health Central Florida computer systems.

The Health Insurance Portability and Accountability Act (HIPAA) permits medical facilities to collect information such as social security numbers, first and last names, birthdates, addresses, and other data known as personal health information (PHI) in order to facilitate both medical treatment and the billing process. However, the medical centers are placed under an obligation to protect this information from unauthorized use and from unauthorized access. These obligations include a proactive responsibility to protect the databases used to store this information from cyber infiltration.

The plaintiff is suing on behalf of a class of patients whose information was accessed due to an episode of cyber infiltration. The plaintiff accuses the defendants of retaining PHI beyond the time period during which it was required which made more information available to the hack than was required. The plaintiff also accuses the defendants of not taking sufficient steps to prevent the accessibility, including encrypting the information as well as siloing it from internet access so that it could not be hacked.

The patient is suing for negligence, breach of contract relating to the defendants privacy policy, and breach of fiduciary duty. The plaintiff is represented by Morgan & Morgan, while the defendant is represented by Baker Hostetler